Hong Kong companies may be well aware that robust cyber security measures are important to protect their business, but a majority of them are still vastly unprepared for cyber attacks, according to a new survey.

Ninety-five per cent of Hong Kong companies surveyed are still in the early stages of security preparedness, according to a survey jointly conducted by security services company Quann and research firm IDC.

Over 150 security professionals from medium to large companies in Hong Kong, Singapore and Malaysia were surveyed.

In Hong Kong, significant issues identified included gaps in deploying security devices and an increased vulnerability to cyber attacks.

Such findings are “worrying”, said Quann managing director Foo Siang-tse, especially after the recent WannaCry and Petya ransomware incidents that crippled the services of corporations around the globe. Ransomware is a type of cyber attack that encrypts a user’s files and demands that a ransom be paid before the files are released.

“Many companies are simply not investing enough in IT security, despite the obvious threats. The lack of investment in security infrastructure, professional services and employee training makes them extremely vulnerable,” Foo said.

While most companies have basic security features such as firewalls and antivirus protection, over 60 per cent of companies do not have proper security intelligence and event management systems in place to monitor and raise alerts for anomalies.

Close to two-thirds of companies also lack dedicated teams that monitor and respond to the cyber security incidents flagged by these systems, while 44 per cent of respondents indicated that they did not have any incident response plans in place in the event of a cyber attack.

While experts today have called for board-level executives to pay attention to cyber security, the survey also found that only 12 per cent of Hong Kong companies invited security executives to board meetings or involved them in assessing risk.

“Not all C-suite [executives] in Asia are fully conversant with the fundamentals of a robust cyber security strategy and the appropriate investments. Cyber security investments are akin to military spending – we do it in the hope that we would never have to use the tools,” said Simon Piff, vice president of IDC’s Asia Pacific IT security practice.

Piff added that failing to prepare for cyber security threats could lead to legal disputes, customer dissatisfaction and even a loss of jobs in the organisation.